(In reply to :Cykesiopka from comment #3)
> (In reply to David Keeler [:keeler] (use needinfo?) from comment #2)
> > * exactly what date do we want to use as the cut-off? (the current date is
> > near the release date for 48, I think. Kathleen has proposed using May 31,
> > 2016)
>
> Hmm, a few questions I have:
> - Have we communicated with CAs that we intend to do this?

The communication is in progress and will go out soon. See https://groups.google.com/d/msg/mozilla.dev.security.policy/wVhRt63bTpU/nQl2ETtjAgAJ (Things for CAs to Fix)

> - Do the BR_9_2_* numbers suggest we should be OK with doing this sooner
> rather than later?

Yes, the telemetry is pretty encouraging.

> I prefer earlier, but I get the feeling some CAs are only capable of moving
> at a glacial pace...
>
> > * currently this is not enforced for imported roots. Should there be an
> > option to enforce in all cases?
>
> I guess it depends on why we're doing this?
> - If it's mainly to enforce BR compliance and reduce the chance of name
> matching issues for public certs, then I guess not.
> - If we want to eventually remove the fallback code altogether, then yes,
> of course.

It would be nice to eventually remove it altogether, but I think it will be a long time until we can. (I guess we can keep gathering telemetry and see how things go.)

> If we do want to enforce this for imported roots though, we're probably
> going to have to implement at least a web console warning or something for
> quite a long time, unless we want people to come screaming at us when we
> break their private PKI or whatever. Might help to have telemetry on these
> non-public certs as well (no idea if this would pass privacy review though).

Let's start with public roots since we have the data and we're pretty sure we can make this change.
Bug 1245280 Comment 5 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to :Cykesiopka from comment #3)
> (In reply to Dana Keeler [:keeler] (use needinfo?) from comment #2)
> > * exactly what date do we want to use as the cut-off? (the current date is
> > near the release date for 48, I think. Kathleen has proposed using May 31,
> > 2016)
>
> Hmm, a few questions I have:
> - Have we communicated with CAs that we intend to do this?

The communication is in progress and will go out soon. See https://groups.google.com/d/msg/mozilla.dev.security.policy/wVhRt63bTpU/nQl2ETtjAgAJ (Things for CAs to Fix)

> - Do the BR_9_2_* numbers suggest we should be OK with doing this sooner
> rather than later?

Yes, the telemetry is pretty encouraging.

> I prefer earlier, but I get the feeling some CAs are only capable of moving
> at a glacial pace...
>
> > * currently this is not enforced for imported roots. Should there be an
> > option to enforce in all cases?
>
> I guess it depends on why we're doing this?
> - If it's mainly to enforce BR compliance and reduce the chance of name
> matching issues for public certs, then I guess not.
> - If we want to eventually remove the fallback code altogether, then yes,
> of course.

It would be nice to eventually remove it altogether, but I think it will be a long time until we can. (I guess we can keep gathering telemetry and see how things go.)

> If we do want to enforce this for imported roots though, we're probably
> going to have to implement at least a web console warning or something for
> quite a long time, unless we want people to come screaming at us when we
> break their private PKI or whatever. Might help to have telemetry on these
> non-public certs as well (no idea if this would pass privacy review though).

Let's start with public roots since we have the data and we're pretty sure we can make this change.